See also: last week's Security page.

Security

News

XDM Insecurity revisited was the topic of a discussion on Bugtraq this week started by Jochen Bauer. He pointed out that the first report of XDM security problems was made in November of 1997 by Eric Augustus. Despite this, recent versions of Digital Unix, SuSE Linux and Red Hat Linux (among probably others) still ship with an Xaccess file that is insecure by default.

Suggestions for securing gdm or xdm were made. Overall, though, it was recommended that anyone using xdm or gdm block UDP port 177 on their firewall. Hopefully, the distributions will take a look at this issue and take measures to better secure their base distributions.

Kurt's Closet is a new column on SecurityPortal; the inaugural article is about Linux and encryption. "If an attacker manages to get access to your backup tapes, or gains physical access to a server, your data is suddenly very insecure, despite file permissions. Or if an attacker puts a laptop with sniffing software on your internal network, all that money you spent on securing the fileserver is much wasted. Encrypting your data can solve these problems."

In the growing conflict between law enforcement concerns and privacy issues in the digital age, a Justice Department proposal, to be dubbed the Cyberspace Electronic Security Act (CESA), seeks to extend authorization to law enforcement to decrypt information that it has legally seized. "A sound and effective public policy must support the development and use of encryption for legitimate purposes but allow access to plaintext by law enforcement when encryption is utilized by criminals. " As reported by ZDNN, however, concern is that the bill provides for surreptitious surveillance, by allowing law enforcement officials to break into someone's house, for example, and disable the encryption on someone's computer without informing them, widening the now-rare use of such "wire-tapping" authorizations. CNN and TechWeb also commented upon the bill, outlining concerns from privacy groups.

Meanwhile, it was interesting to note that the original bill carefully states,

"this Act is not intended to make it unlawful for any person to use encryption in the United States for otherwise lawful purposes, regardless of the encryption algorithm selected, key length chosen, or implementation technique or medium used. Similarly, this Act is not intended to require anyone to use third parties for storage of decryption keys, and this Act does not establish any regulatory regime for entities engaging in such an activity. Finally, this Act is not intended to affect export controls on cryptographic products."

Security Reports

Several vulnerabilities were reported to Bugtraq by Michal Zalewski in this posting. Two of them have been confirmed and recorded as new vulnerability in the Bugtraq vulnerability database.

The first involves a problem with pt_chown, a setuid program that supports non-suid programs that don't have devpts support. Terminal hijacking may be possible as a consequence, along with a root compromise. Until a patch for pt_chown has been made available, the recommended solution is to change the permissions on /usr/libexec/pt_chown. Red Hat 6.0 is vulnerable to this problem.

In addition, Michal reported a new vulerability in wu-ftpd.

QMS 2060 printers allow passwordless access to their root account. This can be exploited to produce a denial-of-service attack or to use resources without proper logging. Check the Bugtraq vulnerability database entry for more details.

Updates

The second advisory reported a buffer overflow in the termcap library, discovered by the Linux Security Audit Team. The advisory indicates that Caldera OpenLinux 2.2 is not vulnerable to this buffer overflow, so OpenLinux users are not affected.

The advisories on August 23rd covered the XDM issue mentioned above, for which they recommend modifying the Xaccess file, and new netkit-telnet and ncurses packages to correct the in.telnetd problem we mentioned in last week's Security Summary.

Debian updates. Debian also issued an advisory about the issues with the termcap library. Since they have abandoned the use of termcap for terminfo, Debian is generally not impacted. However, if you have compiled your own programs using termcap, you will want to upgrade to their new termcap-compat package.

Four additional advisories from Debian came out, including a potential problem with rsync, and /tmp file handling problems with smtp-refuser, trn and man2html. Upgrades are recommended for all four of these issues.

Debian also issued a comment regarding security problems with seyon, why they cannot issue a fix for them. They recommend that seyon users switch to using minicom instead.

Mandrake updates. Mandrake also issued updated isdnutils packages as a result of the problem with xmonisdn. Check near the bottom of their updates page for more details.

Red Hat updates. Red Hat issued an advisory about problems with in.telnetd, reported by the Linux Security Audit Team. An updated package, telnet-0.10-29, is provided. More information on the problem can be found in last week's Security Summary.

In addition, two more advisories were published on August 25th. One of them addresses the problems mentioned with wu-ftpd while the other address a buffer overflow in crond which could allow a local user access to root privileges. Upgrading to the packages listed in the advisories is recommended.

SuSE updates. No SuSE security updates have been listed since June 30th, 1999.

Resources

Events

Section Editor: Liz Coolbaugh

Secure Linux Projects
Bastille Linux
Khaos Linux
Secure Linux

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Debian Alerts
Red Hat Errata
SuSE Announcements

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
Linux Security Audit Project
OpenSEC
Security Focus
SecurityPortal

Next: Kernel